authorbrian <brian@FreeBSD.org>2009-06-25 16:15:39 +0000
committerbrian <brian@FreeBSD.org>2009-06-25 16:15:39 +0000
commit804f2f79eee18b6494ba08a9909d3cc4cface7cd (patch)
tree9a6b7f4860169027c143248b8fa6f7a6afd15fc6 /usr.sbin/ypserv/Makefile.yp
parente96ab5a0ecb1b0ab6ce67c702d929064312609b1 (diff)
Support shadow.byname and shadow.byuid maps, protecting them by
insisting on privileged port access. Include /var/yp/Makefile.local if it exists and suggest using it to override /var/yp/Makefile behaviour. Approved by: re (kib) MFC after: 3 weeks
Diffstat (limited to 'usr.sbin/ypserv/Makefile.yp')
-rw-r--r--usr.sbin/ypserv/Makefile.yp92
1 files changed, 71 insertions, 21 deletions
diff --git a/usr.sbin/ypserv/Makefile.yp b/usr.sbin/ypserv/Makefile.yp
index 407663d..33ca444 100644
--- a/usr.sbin/ypserv/Makefile.yp
+++ b/usr.sbin/ypserv/Makefile.yp
@@ -11,33 +11,40 @@
# This Makefile can be modified to support more NIS maps if desired.
#
-# If this machine is an NIS master, comment out this next line so
-# that changes to the NIS maps can be propagated to the slave servers.
-# (By default we assume that we are only serving a small domain with
-# only one server.)
+# If this machine is an NIS master, reset this variable (NOPUSH=)
+# in Makefile.local so that changes to the NIS maps can be propagated to
+# the slave servers. (By default we assume that we are only serving a
+# small domain with only one server.)
#
NOPUSH = "True"
+# If this machine does not wish to generate a linux-style shadow map
+# from the master.passwd file, reset this variable (SHADOW=) in
+# Makefile.local.
+SHADOW = "True"
+
# If you want to use a FreeBSD NIS server to serve non-FreeBSD clients
# (i.e. clients who expect the password field in the passwd maps to be
-# valid) then uncomment this line. This will cause $YPDIR/passwd to
-# be generated with valid password fields. This is insecure: FreeBSD
-# normally only serves the master.passwd maps (which have real encrypted
-# passwords in them) to the superuser on other FreeBSD machines, but
-# non-FreeBSD clients (e.g. SunOS, Solaris (without NIS+), IRIX, HP-UX,
-# etc...) will only work properly in 'unsecure' mode.
+# valid) then set this variable (UNSECURE="True") in Makefile.local.
+# This will cause $YPDIR/passwd to be generated with valid password
+# fields. This is insecure: FreeBSD normally only serves the
+# master.passwd and shadow maps (which have real encrypted passwords
+# in them) to the superuser on other FreeBSD machines, but non-FreeBSD
+# clients (e.g. SunOS, Solaris (without NIS+), IRIX, HP-UX, etc...)
+# will only work properly in 'unsecure' mode.
#
#UNSECURE = "True"
# The following line encodes the YP_INTERDOMAIN key into the hosts.byname
# and hosts.byaddr maps so that ypserv(8) will do DNS lookups to resolve
-# hosts not in the current domain. Commenting this line out will disable
-# the DNS lookups.
+# hosts not in the current domain. Resetting this variable in
+# Makefile.local (B=) will disable the DNS lookups.
B=-b
-# Normally, the master.passwd.* maps are guarded against access from
-# non-privileged users. By commenting out the following line, the YP_SECURE
-# key will be removed from these maps, allowing anyone to access them.
+# Normally, the master.passwd.* and shadow.* maps are guarded against access
+# from non-privileged users. By resetting S in Makefile.local (S=), the
+# YP_SECURE key will be removed from these maps, allowing anyone to access
+# them.
S=-s
# These are commands which this Makefile needs to properly rebuild the
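Review bot: `SHADOW = "True"` turns the new maps on by default, so a server that picks up this Makefile starts building maps that hold the real encrypted passwords without any local opt-in. The comment above `SHADOW` only describes how to switch the map off; it should also say what the map contains and what guards it, for example `# The shadow maps carry the encrypted passwords from master.passwd and are guarded only by the YP_SECURE key (see S below).` The S comment in the same hunk already notes that `S=` removes that guard, so a reader of the SHADOW comment should be pointed there. Administrators who do not serve clients that expect a shadow map would be better served by a default of off, with `SHADOW="True"` set in Makefile.local when needed.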
@@ -118,6 +125,17 @@ PUBLICKEY = $(YPSRCDIR)/publickey
NETID = $(YPSRCDIR)/netid
AMDHOST = $(YPSRCDIR)/amd.map
+target:
+ @if [ ! -d $(DOMAIN) ]; then mkdir $(DOMAIN); fi; \
+ cd $(DOMAIN) ; echo "NIS Map update started on `date` for domain $(DOMAIN)" ; \
+ make -f ../Makefile all; echo "NIS Map update completed."
+
+# Read overrides. Note, the current directory will be /var/yp/<domain>
+# when 'all' is built.
+.if exists(${YPDIR}/Makefile.local)
+.include "${YPDIR}/Makefile.local"
+.endif
+
# List of maps that are always built.
# If you want to omit some of them, feel free to comment
# them out from this list.
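Review bot: The new `.include "${YPDIR}/Makefile.local"` means that file is parsed, and any rule it defines is run, with the privileges of whoever rebuilds the maps, which on an NIS master is normally root; the "Read overrides" comment should state that Makefile.local must be owned by root and not writable by anyone else. The `target:` rule appears to have been moved above the include so that it stays the default target even when Makefile.local defines rules of its own, and a comment such as `# Keep 'target' ahead of the include so it remains the default target.` would stop a later edit from moving it back. The moved recipe still joins its steps with `;`, so a failed `cd $(DOMAIN)` is followed by `make -f ../Makefile all` in the wrong directory; `cd $(DOMAIN) && ...` and `$(MAKE)` in place of the literal `make` would avoid that.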
@@ -148,6 +166,9 @@ NETGROUP= /dev/null
.if exists($(MASTER))
TARGETS+= passwd master.passwd netid
+.if ${SHADOW} == "\"True\""
+TARGETS+= shadow
+.endif
.else
MASTER= /dev/null
TARGETS+= nopass
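Review bot: The test `${SHADOW} == "\"True\""` matches only the exact quoted string, so `SHADOW=True` or `SHADOW=yes` in Makefile.local silently turns the shadow maps off, whereas `NOPUSH` is tested in the recipes as empty versus non-empty. That fails in the safe direction (no password map is published), but the `SHADOW` comment does not say so; I would add `# Only the exact value "True" (including the quotes) enables the shadow maps; any other value disables them.` The same comparison is repeated in the `pushpw` hunk further down. The enclosing `.if exists($(MASTER))` block ends outside this hunk.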
@@ -171,11 +192,6 @@ TARGETS+= ipnodes
IPNODES= /dev/null
.endif
-target:
- @if [ ! -d $(DOMAIN) ]; then mkdir $(DOMAIN); fi; \
- cd $(DOMAIN) ; echo "NIS Map update started on `date` for domain $(DOMAIN)" ; \
- make -f ../Makefile all; echo "NIS Map update completed."
-
all: $(TARGETS)
ethers: ethers.byname ethers.byaddr
@@ -187,6 +203,7 @@ protocols: protocols.bynumber protocols.byname
rpc: rpc.byname rpc.bynumber
services: services.byname
passwd: passwd.byname passwd.byuid
+shadow: shadow.byname shadow.byuid
group: group.byname group.bygid
netgrp: netgroup
netid: netid.byname
@@ -207,6 +224,10 @@ pushpw:
@$(DBLOAD) -c
@if [ ! $(NOPUSH) ]; then $(YPPUSH) -d $(DOMAIN) master.passwd.byname ; fi
@if [ ! $(NOPUSH) ]; then $(YPPUSH) -d $(DOMAIN) master.passwd.byuid ; fi
+.if ${SHADOW} == "\"True\""
+ @if [ ! $(NOPUSH) ]; then $(YPPUSH) -d $(DOMAIN) shadow.byname ; fi
+ @if [ ! $(NOPUSH) ]; then $(YPPUSH) -d $(DOMAIN) shadow.byuid ; fi
+.endif
@if [ ! $(NOPUSH) ]; then $(YPPUSH) -d $(DOMAIN) passwd.byname ; fi
@if [ ! $(NOPUSH) ]; then $(YPPUSH) -d $(DOMAIN) passwd.byuid ; fi
@@ -586,6 +607,36 @@ master.passwd.byuid: $(MASTER)
.endif
+shadow.byname: $(MASTER)
+ @echo "Updating $@..."
+.if ${MASTER} == "/dev/null"
+ @echo "Master.passwd source file not found -- skipping"
+.else
+ @$(AWK) -F: '{ if ($$1 != "" && $$1 !~ "^#.*" && $$1 != "+") \
+ print $$1"\t"$$1":"$$2":12000:0:99999:7:::" }' $(MASTER) \
+ | sed 's/\( [^:]*:\)\*:/\1!:/' \
+ | $(DBLOAD) ${S} -f -i $(PASSWD) -o $(YPMAPDIR)/$@ - $(TMP); \
+ $(RMV) $(TMP) $@
+ @$(DBLOAD) -c
+ @if [ ! $(NOPUSH) ]; then $(YPPUSH) -d $(DOMAIN) $@; fi
+ @if [ ! $(NOPUSH) ]; then echo "Pushed $@ map." ; fi
+.endif
+
+shadow.byuid: $(MASTER)
+ @echo "Updating $@..."
+.if ${MASTER} == "/dev/null"
+ @echo "Master.passwd source file not found -- skipping"
+.else
+ @$(AWK) -F: '{ if ($$1 != "" && $$1 !~ "^#.*" && $$1 != "+") \
+ print $$3"\t"$$1":"$$2":12000:0:99999:7:::" }' $(MASTER) \
+ | sed 's/\( [^:]*:\)\*:/\1!:/' \
+ | $(DBLOAD) ${S} -f -i $(PASSWD) -o $(YPMAPDIR)/$@ - $(TMP); \
+ $(RMV) $(TMP) $@
+ @$(DBLOAD) -c
+ @if [ ! $(NOPUSH) ]; then $(YPPUSH) -d $(DOMAIN) $@; fi
+ @if [ ! $(NOPUSH) ]; then echo "Pushed $@ map." ; fi
+.endif
+
amd.map: $(AMDHOST)
@echo "Updating $@..."
@$(AWK) '$$1 !~ "^#.*" { \
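Review bot: Both new recipes write the constant aging fields `12000:0:99999:7:::`, and the awk program reads only `$$1`, `$$2` and `$$3`, so the password-change and account-expiry columns of `$(MASTER)` never reach the shadow maps. An account that has been given an expiry date in master.passwd will therefore still look non-expiring to clients that authenticate against shadow.byname or shadow.byuid. If that is intended, a comment above `shadow.byname` such as `# Aging fields are fixed placeholders; master.passwd change/expire times are not exported.` would tell administrators not to rely on expiry for these clients. Separately, the load and the rename are joined with `;`, so `$(RMV) $(TMP) $@` runs even when `$(AWK)`, `sed` or `$(DBLOAD)` failed; this may simply follow the file's other map rules, which are outside the hunk.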
@@ -604,4 +655,3 @@ amd.map: $(AMDHOST)
@$(DBLOAD) -c
@if [ ! $(NOPUSH) ]; then $(YPPUSH) -d $(DOMAIN) $@; fi
@if [ ! $(NOPUSH) ]; then echo "Pushed $@ map." ; fi
-